Cyber Crooks Target Public & Private Schools

A gang of organized cyber criminals that has stolen millions from businesses across the United States over the past month appears to have turned its sights on public schools and universities.

On the morning of Aug. 17, hackers who had broken into computers at the Sanford School District in tiny Sanford, Colorado initiated a batch of bogus transfers out of the school's payroll account. Each of the transfers was kept just below $10,000 to avoid banks' anti-money laundering reporting requirements, and went out to at least 17 different accomplices or "money mules" that the attackers had hired via work-at-home job scams.

A school employee spotted the bogus payments on the morning of the 19th, when the school district learned that $117,000 had been siphoned from its coffers by cyber crooks.

Sanford Superintendent Kevin Edgar said the school successfully reversed two of the transfers totaling $18,000, but that the rest of the stolen money remains in limbo.

"We've been told that if we do get any more of these reversed, it may take 30 to 45 days to get that money back," Edgar said. Meanwhile, the school district's bank is playing hardball, insisting that the school is at fault for the unauthorized transfers.

The attack could mean fewer resources for the rural school district, which serves just 340 children. "That amount of money comes down to financing projects, such as maybe buying a new school bus, or updating our playground," Edgar said. "Those are the types of things that this missing money will have an impact on."

Technically, the bank is correct. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges. In contrast, organizations and companies that bank online are regulated under the Uniform Commercial Code, which holds that commercial banking customers have roughly two business days to spot and dispute unauthorized activity if they want to hold out any hope of recovering unauthorized transfers from their accounts.

Some schools that have been hit by similar attacks have been luckier: They happen to bank with institutions that have decided that the potential public relations hit from being stingy with a school district may be more costly than simply eating the cost of the fraud.

Such was the case with the Sand Springs, Okla. school district, which was attacked by a cyber gang the week prior on Aug. 11. Sand Springs Superintendent Lloyd Snow said thieves stole roughly $150,000, after breaking into the school district's online bank account and setting up two batches of fraudulent transfers.

Snow said the school was able to prevent about $80,000 worth of those transfers from going through, but that their bank agreed to cover the rest of the losses.

For now, Snow said, the school district is accessing its bank accounts via a dedicated, stand-alone system running a Live CD distribution of Linux, in a bid to minimize the chances that future malware may steal banking credentials (Live CD-based operating systems prevent the installation of rogue software, and automatically wipe all changes when the system is shut down).

"In our business, we're about teaching and learning, and in some cases we get lessons where we're the ones who need to learn a thing or two," Snow said. "This is one of those cases."

Also hit was Marian University, a Catholic university in Fond du Lac, Wisc. On Aug. 5, the thieves stole more than $189,000 by initiating bogus payroll transfers to 20 money mules. Marian Provost Dan Maloney said the school was able to recover just $54,000.

The thefts all appear related in at least one respect. With the help of the victims interviewed in this story, Security Fix was able to track down mules who said they were involved in each of the scams. All said they had been recruited via e-mail to sign up as "financial agents" at a company called Focus Group Inc. According to a write-up by money mule site tracker Bob Harrison, the Focus Group Web site may look legit, but is "just the latest of the numerous highly generic Russian scam websites that has been set up to form a front for a money laundering fraud job advertisement."

No one from Focus Group replied to Security Fix's attempts for comment.

At least two other mules contacted by Security Fix acknowledged receiving sub-$10,000 payments from accounts at the Sycamore Community Unit School District #427 in Sycamore, Ill., in mid-July. Sycamore Superintendent Wayne Riesen confirmed that the school district had experienced a breach at that time, but declined to comment further, except to say that the FBI was investigating the incident.

Update, Sept. 28, 11:04 p.m. ET: A story today in the Northwest Herald, a local news outlet for the McHenry County, Illinois area, follows up on the Sycamore Schools hack mentioned above, quoting school officials as saying thieves stole about $425,000 with the help of the Clampi Trojan. The school district has recovered some of the stolen funds, but is still out around $300,000.

Brian, I'm seeing a great deal of spam offering «jobs managing email, etc» on web fora such as Google Groups, etc, and can't help suspecting that many of these may constitute attempts to recruit so-called «mules». Perhaps something for Security Fix to investigate further?...

Is it possible for businesses and schools to get insurance for these sorts of attacks? Or are the requirements of the insurance companies too strict in terms of security requirement for it to be worth it?

I just wonder if the school districts (and previously reported small business owners) could have done anything to prevent these losses. Did they use unpatched versions of Windows? ANY version of Windows?

It is the Bank Secrecy Act of 1970. Among other things, this act requires certain reporting requirements depending on the amount of money involved in a banking transaction.

From Wikipedia: "FinCEN Form 104 Currency Transaction Report (CTR): A CTR must be filed for each deposit, withdrawal, exchange of currency, or other payment or transfer, by, through or to a financial institution, which involves a transaction in currency of more than $10,000. Multiple currency transactions must be treated as a single transaction if the financial institution has knowledge that: (a) they are conducted by or on behalf of the same person; and, (b) they result in cash received or disbursed by the financial institution of more than $10,000. (31 CFR 103.22)"

The $10,000 reporting mechanism isn't there to prevent this kind of criminal activity. It exists to help track and prevent the moving of money for tax evasion purposes. Anytime any money exchanges hands, customer to business, business to business or bank to bank, over $10,000 it is reported to the IRS.

Banks should be required to publicly report all such losses that they know of each quarter, even though they may not be at fault.

Not as punishment, but just to encourage people to take more precautions, since I expect the numbers will be alarmingly high.

I suppose that would require aggregating the loss numbers to hide which banks had the biggest numbers. But we could hope that banks which consistently report only small losses due to improved transaction checking might want to advertise that fact.

First, for 'clicking' the box authorizing the money transfer, the software should require a mouse click on the screen, not a keyboard entry that leaves a record in memory that can be hacked.

Second, the authorization box on the screen to send the money should require the entry of a code number from a 'one time use' code card (a physical object in the hand of the operator of the mouse) and that code number entered by mouse clicking on a number array shown on the screen...

None of this is difficult for the software coders to include in the computer program nor will it cost money to execute...

Agree w/ iMac77. Banks have 'touted' online banking as safe and efficient for years, but when trouble rears its ugly head, they pass the buck AND deny the existence of trouble. Lots of other excellent contributions here, to my eyes.

This gang of thieves has done a diabolically efficient job targeting its victims. Wouldn't want to cross swords w/ the minds who conceived of this scheme, software. Eventually, this scam will come to an end. Unless these animals are sent to jail (fat chance!), they'll come up with something just as ingenious. This is a scary, smart group.

I hold US Patent 7,464,403 "secure mobile office application integration suite running entirely from CDROM". In the modern day, it's a DVD... but it's mostly hacker-proof, as it runs from read-only media. For now, it runs a 32-bit version of Linux, but it isn't restricted to that.

It's just one part of a sensible approach to protecting your enterprise.

First, make it hard to crack the OS. Make it impossible to alter the OS. Secure transactions with IPSEC, SSL, and Kerberos. Mount your read-write data with hair-trigger disconnects that will take your data offline at the first hint of nastiness. And though the OS is read-only, the logs are also hair-trigger and duplicate to storage behind the DMZ firewall.

This is common-sense stuff.

Why doesn't anyone take cybersecurity seriously? Mine isn't the only product that can help with this. Yet we who develop products to protect you are resoundingly ignored by both the business and government/military community.

The Bank Secrecy Act requires reporting to the IRS cash transactions in excess of $10,000. It does not require reporting of any other transactions over $10,000. There are bank recordkeeping requirements for certain other transactions, including wire transfer transactions, but reporting is not required.

You should know this stuff! There is BSA and also AML, Anti Money Laundering.

Reporting is not just $10k, there are other thresholds. It can get arcane and complex. That's what bit Eliot Spitzer, there is a lower threshold for "Persons Of Interest" (like foreign heads of state and various elected officials) to catch bribery and official corruption. Irony is that Spitzer used BSA/AML investigations as a major tool when he was prosecutor, and then got hoist on his own petard.

Anyway if you are in the banking business you should know all about this - get your corporate counsel to explain it - if they can't/won't then find some SME who can, or take an ABA course in it - you need to know it!

Well, there are any number of FORMER car salespersons out there today who can never again sell cars because they got caught some years back taking large amounts of cash [over 10k] in undercover sting operations from alleged purchasers who outright as much as said that they were drug dealers who needed to use up some of their drug money by making automobile purchases.

So certainly and at least originally the target of the cited law was money laundering operations.

I actually recall such an event from years ago when I was working in automotive sales at Croyste Toyota, which is today Beltway Toyota.

An African-American male came into the dealership after 8pm and stated that he wanted to purchase one of the more expensive cars the dealership had. When I tried to financially pre-qualify him, as we were required to do for all customers at that time, he became belligerent and stated that he had a trunk full of cash in his 'trade-in,' which had the front driver's side mirror torn loose, with evidence of a recent 'side swipe' that had not been repaired.

There was at least one suitcase filled with $100 bills in the trunk that he showed to me while also lecturing me about pre-judging who could and could not buy a car. In fact, we were well aware of the potential money laundering issue of a cash purchase under 'suspicious circumstances.'

I told him that I was going to have to do a 'turn over' to my manager at that time and my manager declined to sell him a car. A number of the salespersons called me an idiot for not just writing up the deal and making a commission, but that was what 'other salespeople' did who got burned and the manager wasn't about to take a chance.

So I lost that 'deal,' but it 'could have been a sting' because of just how blatant the customer was about the money in $100 dollar bills in a suitcase in the trunk of the 'trade-in' that went unrepaired.

Please read Section 103.100 of the Patriot Act. It has nothing to do with reporting anything over $10,000. Also, there is no requirement anywhere in the BSA or AML to routinely report to anybody ACH transactions of over $10,000. That is what was implied in the article. If that were true, banks would have to increase their staffs tenfold just to report that activity. As far as corporate counsel is concerned, I do my best to educate them in BSA and AML matters.

> ...initiated a batch of bogus transfers out
> of the school's payroll account...

From this and other similar stories it seems that code could be added to a bank's system to red-flag any sudden, uncharacteristic flurry of transfers from a particular account, especially if they're just under that $10,000 trigger-point. I don't think it would be a great problem to ensure that the program could differentiate between accounts that routinely have that kind of legitimate traffic and invasions such as this.
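The red-flag logic this comment proposes, and the pattern the article describes (a batch of payroll transfers each kept just under $10,000, sent to many new recipients within hours), as an added example that is not part of the original post or any bank's system. The thresholds, window, per-account baselines and sample transfers are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Detection parameters (assumptions, not bank policy).
CTR_THRESHOLD = 10_000.00      # reporting trigger discussed in the article
NEAR_BAND = 0.10               # "just under": within 10% below the threshold
WINDOW = timedelta(hours=24)   # look-back window that defines a "flurry"
MIN_BURST = 5                  # fewer near-threshold transfers is never flagged
BASELINE_FACTOR = 3            # flag only if the burst exceeds 3x the account's norm

def near_threshold(amount):
    """True for amounts kept just below the reporting trigger."""
    return CTR_THRESHOLD * (1 - NEAR_BAND) <= amount < CTR_THRESHOLD

def flag_structuring(transfers, baseline):
    """transfers: iterable of (account, timestamp, amount, destination).
    baseline: account -> typical count of near-threshold transfers per WINDOW,
    so accounts that routinely send such traffic are not flagged.
    Returns alerts as (account, window_start, count, distinct_destinations)."""
    by_account = {}
    for acct, ts, amount, dest in transfers:
        if near_threshold(amount):
            by_account.setdefault(acct, []).append((ts, dest))
    alerts = []
    for acct, events in by_account.items():
        events.sort()
        limit = max(MIN_BURST, BASELINE_FACTOR * baseline.get(acct, 0))
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so events[start..end] fit in WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            count = end - start + 1
            if count >= limit:
                dests = {d for _, d in events[start:end + 1]}
                alerts.append((acct, events[start][0], count, len(dests)))
                break  # one alert per account is enough here
    return alerts

# Constructed sample: a school payroll account with no history of near-threshold
# transfers suddenly sends six to six new recipients within 35 minutes; a large
# employer sends similar amounts every day, so it stays under its baseline.
T0 = datetime(2009, 8, 17, 6, 0)
SAMPLE_TRANSFERS = (
    [("school-payroll", T0 + timedelta(minutes=7 * i), 9_300.00 + 90 * i, f"mule-{i}") for i in range(6)]
    + [("school-payroll", T0 - timedelta(days=3), 2_150.00, "vendor-bus-lease")]
    + [("large-employer", T0 + timedelta(minutes=5 * i), 9_800.00, f"staff-{i % 4}") for i in range(6)]
)
SAMPLE_BASELINE = {"school-payroll": 0, "large-employer": 8}

if __name__ == "__main__":
    for acct, start, n, d in flag_structuring(SAMPLE_TRANSFERS, SAMPLE_BASELINE):
        print(f"ALERT {acct}: {n} near-threshold transfers to {d} destinations since {start}")
```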